Hi Felipe,

 

Thanks a lot for your guidance.

Yes, changing SecRequestBodyAccess to "off" starts the application
again.

I was not using any other module on IIS. My dynamic compression was set to
off.

 

But yes, the suggestion mentioned in the link regarding
"SecStreamInBodyInspection On" solved my issue.

All I have to do now is understand all the places it's going to hit me, because
in our application users can upload GBs of videos as well.

 

Regards,

Neeraj Chaudhary

+1 925 359 9074

 

From: Felipe Costa [mailto:fco...@trustwave.com] 
Sent: Monday, May 19, 2014 12:37 PM
To: Neeraj.Chaudhary
Cc: <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] JSON issues on mod_security

 

Hi Neeraj, 

 

Can you double check if the application is receiving the request body at
all? Are you using other IIS modules in combination with ModSecurity?

 

There is a bug open regarding the ModSecurityIIS module and request
body contents.

The link to the bug is available here:

https://github.com/SpiderLabs/ModSecurity/issues/562

 

Check if, by setting SecRequestBodyAccess to "off", your application starts
to perform well again.

 

Br.,

Felipe "Zimmerle" Costa

Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com <http://www.trustwave.com/> 

 

 

 

 

On May 19, 2014, at 4:09 PM, Neeraj.Chaudhary <nee...@rockonllc.com> wrote:





Hi,

It's been a few days trying to figure out what is going wrong and where, but
now I am stumped and need help from you guys.

I am using mod_security on IIS version 8.0.9200.16384.
The same code works fine without mod_security, but as soon as I enable
mod_security I get the response below,
which shows that the parameter userName is not proper. I debugged and looked
into all possible concerns but was unable to find an error. I am using jQuery
AJAX.

{"Message":"Invalid web service call, missing value for parameter:
\u0027userName\u0027.","StackTrace":"   at
System.Web.Script.Services.WebServiceMethodData.CallMethod(Object target,
IDictionary`2 parameters)\r\n   at
System.Web.Script.Services.RestHandler.InvokeMethod(HttpContext context,
WebServiceMethodData methodData, IDictionary`2 rawParams)\r\n   at
System.Web.Script.Services.RestHandler.ExecuteWebServiceCall(HttpContext
context, WebServiceMethodData
methodData)","ExceptionType":"System.InvalidOperationException"}

Request Body : {"userName": "neeraj.chaudhary", "password": "Abcd123"}
Aspx webmethod signature is
[WebMethod]
public static string Login(string userName, string password)

I shall be delighted if someone can point out what can be done in this case.
Maybe a change in a rule or anything which can help me pass through this
scenario.

Regards,
Neeraj Chaudhary
+1 925 359 9074


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
<mailto:Owasp-modsecurity-core-rule-set@lists.owasp.org> 
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

 

 
